by Deb Radcliff
In addition to crippling businesses by making their data inaccessible, ransomware gangs now routinely copy sensitive data to gain additional leverage for blackmailing victims into paying. When victims don’t pay, the criminals leak the sensitive documents on ransomware shaming sites. A recent example: the Scottish Environmental Protection Agency, which refused to pay a ransom to the Conti ransomware gang, which then posted 4,000 files (1.2 GB) taken from the agency.
(Screen capture of the stolen files, provided by Kurtis Minder)
Even when victims do pay the ransom, the stolen data often shows up on dark web ransomware trading and buying sites, says ransomware investigator and payment negotiator Kurtis Minder. In those cases, new criminals try blackmailing victims again, sometimes months after victims made their payments.
What this means is that ransomware has become a regulatory issue, because sensitive data has been stolen. The trend also raises a question: if paying the ransom neither protects the data nor stops further blackmail, why should victims pay a ransom at all?
Now a Regulatory Problem
Imagine, for example, a ransomware attack in which the victim company cannot access its own systems while a clock is ticking on sensitive data being leaked to a shaming site. All the while, the company is also under regulatory pressure to assess the impacted data and report the breach to the proper authorities.
“The victim business is trying to get back on its feet and now it’s dealing with potential regulatory and legal issues,” says privacy and cyberinsurance attorney, Judy Selby. “Responders to these types of ‘double whammy’ attacks need to know what information was exposed, along with the regulatory, legal and business partner obligations related to that exposure. Meeting these requirements is significantly more complicated in a ransomware situation.”
For example, in the Scottish EPA case, uncovered on December 25, 2020, agency officials are still trying to determine what data was stolen and how sensitive it is. All they knew at the time of reporting was that 4,000 files had been removed.
Minder, founder and CEO of GroupSense, says every ransomware case he takes on these days involves some form of sensitive data theft, which criminals use to negotiate payouts. According to a recent report by Coveware, more than half of ransomware samples it collected in early 2020 involved sensitive data theft. Top ransomware groups including Sodinokibi, Maze, Netwalker, Mespinoza, and Conti routinely use data theft in their schemes. (For a larger list go here.)
Criminals Lie
Even when ransomware criminals show proof that they deleted the data once the ransom was paid, Minder and his team still find data files belonging to victims who have paid dumped on the dark web. Many times, he adds, the ransomware gangs return with new threats to expose the data and re-encrypt the victims’ systems.
“Now, I bookend each ransomware negotiation project with, ‘If we decide to do a transaction and pay a ransom, just remember, we’re dealing with someone who has no honor or accountability,’” he adds.
So, if the blackmail won’t stop, why pay the ransom? If victims and insurers refuse to pay ransoms, as the Scottish EPA did, the fat profits (which amounted to $20 billion in 2020) will simply dry up, and the criminals will move on to other fertile ground where making money is easier.